Plaintiffs sued Neiman Marcus on behalf of a putative class alleging claims arising out of a 2013 data breach. Neiman Marcus informed its customers (in 2014) that an attack had occurred and 350,000 cards had been exposed. Neiman Marcus first learned of fraudulent charges in December 2013, but according to plaintiffs, Neiman Marcus kept the information confidential so as to not disrupt the “lucrative holiday shopping season”. Neiman Marcus’s position was that while card information was compromised, no other sensitive information was exposed. Neiman Marcus also offered one year of free credit monitoring and identity-theft protection to customers that had made card purchases within a certain time period.

Plaintiffs asserted a variety of claims, including negligence, breach of implied contract, unjust enrichment, unfair business practices, invasion of privacy, and violations of state data breach laws. The district court granted Neiman Marcus’s 12(b)(6) motion to dismiss. On appeal, the Seventh Circuit reverses.

Plaintiffs alleged two categories of imminent injuries: (1) increased risk of future fraudulent charges, and (2) greater susceptibility to ID theft. They also alleged present injuries: (1) lost time resolving fraudulent charges; (2) lost time and money protecting themselves against ID theft; (3) loss from having shopped at Neiman Marcus now that they were aware of its shoddy data security practices; and (4) loss of control over their personal information.

Risk of Future Harm Sufficient: As to the people who have already seen fraudulent charges and expended the time to “sort things out,” the court says that they clearly have standing. The court also says that plaintiffs who are apprehensive about future unreimbursed charges and who take preventative measures likewise satisfy standing. Neiman Marcus argued that the common practice of credit card companies is to reimburse for such fraudulent charges and thus preventative measures are unnecessary, but the court says this places a spin on the facts. Bank reimbursement policies are not definitive and universally applied. While the risk of harm was for something that is likely to occur in the future, this does not preclude standing under Clapper, a recent Supreme Court case. (As cited by the court, a recent case from the Northern District of California came to a similar conclusion.) The court also notes that requiring plaintiffs to wait until future harm comes to pass puts them in an evidentiary catch-22: the longer the time elapsed, the more difficulty they will have showing that the injury is “fairly traceable” to defendant’s conduct. Ultimately, the court says that the very nature of this type of intrusion supports the risk of harm:

Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.

Current Mitigation Efforts Sufficient: The court also says that current mitigation efforts are sufficient to establish injury, provided that the future harm is non-speculative.

It is telling that Neiman Marcus offered one year of credit monitoring and identity-theft protection to all customers for whom it had contact information and who [may have been affected].

Neiman Marcus’s offering of this protection itself shows that the risk is non-speculative, and this also suffices as concrete injury. This is consistent with the First Circuit’s ruling in the Hannaford case.

Other Injuries Likely Insufficient: The court is skeptical of the other asserted grounds for standing. The “we overpaid” argument likely does not work here, because those claims are typically product-specific (or involved specific representations or charges relating to security). The mere loss of personal information on its own is insufficient because plaintiffs do not allege that they could sell their personal information for value. Plaintiffs sought to rely on recently enacted state data breach laws to support a “recognized state-law right,” the invasion of which would support standing. However, the two statutes cited by the parties (California and Illinois) failed to confer standing. The California law expressly noted that delayed notification is not a cognizable injury, and the Illinois statute requires “actual damages”.

The Other Standing Requirements Are Satisfied: The court also says the other standing requirements are satisfied. The injury is “fairly traceable” to Neiman Marcus. The fact that some other data breach may actually be the cause of the data exposure does not negate standing. The claims also satisfy the redressability requirement. The credit and debit card rules do not always make plaintiffs whole—their “zero liability” policies are a feature of the card networks and not a requirement of law.

___

It’s tough to call a trend, but courts are certainly warming up to the standing arguments raised by data breach plaintiffs. Early decisions readily kicked these claims on standing grounds, but as this court notes, this is the third decision to find standing for data breach plaintiffs (and the second appeals court). (See also “Android and Pandora Privacy Rulings Accept Low Hurdle for Standing,” discussing standing in the context of company privacy practices and voluntary disclosures.)

The big question that remains is whether plaintiffs will succeed on the merits. (And perhaps whether their claims are amenable to resolution on a class-wide basis.) Those are tougher questions to answer, and at least a few plaintiffs in similar circumstances have lost on the merits. Will this ruling result in a flurry of successful data breach claims? It’s unclear, but a win on standing still leaves plaintiffs a long way to go.

The decision is interesting in its exploration of credit and debit card refund policies. While these rules are always mentioned in data breach cases, this decision gets more into detail than is typically the case.

The court is careful to distinguish this case from Spokeo, the standing case pending in front of the Supreme Court, signaling that even an adverse ruling to the plaintiffs in Spokeo should not affect the result here.

Eric’s comments:

1) I think the “fairly traceable” question deserves more analytical consideration. Now that virtually every major retailer has been hit by data breaches, how do we know that any particular consumer’s credit card was misused due to any specific breach? It reminds me of the tort law doctrine (the name escapes me now) where we hold all industry vendors of a harmful drug liable even if we can’t prove which vendor made the drug consumed by any particular plaintiff.
2) It’s harsh to use Neiman Marcus’ own efforts to remediate the problem (by voluntarily offering credit card monitoring services) as the basis of punishment against it. I wonder if this will encourage companies to rethink being proactive about such benefits (to the extent they have a choice and such remediation isn’t legally compelled).
3) The surprisingly pro-plaintiff ruling from the normally business-friendly Seventh Circuit makes me wonder if even judges are personally feeling all the data breaching going around. Once it gets personal, it seems like judges become more pro-plaintiff.